[Dovecot] Broken IMAPS Connects Create Lingering imap-login Processes
Timo Sirainen
tss at iki.fi
Tue May 6 12:14:38 UTC 2014
On 5.5.2014, at 23.13, Jochen Bern <Jochen.Bern at LINworks.de> wrote:
> we are running a central server (CentOS 6.5, dovecot-2.0.9-7.el6 with a
> small patch to disable the IMAP CREATE command, and
> openssl-1.0.1e-16.el6_5.7) and distribute standard client software to
> customer( site)s.
>
> One of the customers has a major networking problem that hasn't been
> fully analyzed yet. Sniffing his IMAPS connects on the server side, I
> see no (necessarily fragmented) TLSv1 Client Cert + Key Exchange happen;
> instead, after ~60s, we receive a single packet with "TLSv1 Certificate
> Verify, Change Cipher Spec, Encrypted Handshake Message" *and* the TCP
> FIN+PSH+ACK flags set.
>
> The problem I'd like to ask for help with here is that dovecot's
> imap-login process doesn't terminate when the FIN is received, or when
> the IMAP protocol's inactivity timeout is reached; it takes *more than
> two hours* for it to go away. Because of that, this single client racks
> up 1100+ processes (counting against dovecot's configured limits), TCP
> connections, and the associated RAM usage.
..
> dovenull 12064 0.0 0.0 42440 3656 ? S 19:32 0:00 \_ dovecot/imap-login [1 connections (1 TLS)]
The process is taking 0% CPU? There was a bug where a broken handshake could have caused 100% CPU usage. Maybe the same problem could happen in a slightly different way and also not cause CPU usage. http://hg.dovecot.org/dovecot-2.2/rev/c0236d1c4a04 fixes this.
Although even then .. I'm not sure why the process wouldn't die sooner. And Dovecot especially should kill old imap-login processes that haven't logged in if it reaches the imap-login process limit.
> # 2.0.9: /etc/dovecot/dovecot.conf
I'd anyway try v2.2 first..